Zero-day vulnerabilities and bounty programs

Standard advice for maintaining your own protection against cyber-attacks is to ensure all your devices are running the most recent releases of software.

This applies to your antivirus programs and virus definitions, but also to your web browser, operating system, office applications and games. With so many interconnected devices in the home, it becomes even more important to maintain this level of protection. But how do companies and software vendors find out about the vulnerabilities?

Security researchers tend to measure the time elapsed between the discovery of a vulnerability and the release by the software vendor of a patch fixing it. A vulnerability which is unknown to the software vendor is the most dangerous class, known as a zero-day vulnerability. In the period between a security researcher (either benign or malicious) discovering a vulnerability and the vendor becoming aware of it and issuing a patch, there is a window of opportunity for hackers to develop exploits which can be launched against unprotected systems. A zero-day attack is the name given to this kind of exploit. Such a vulnerability is therefore something of value both to malicious attackers and to software vendors.

Some vendors operate a vulnerability rewards program or bug bounty system, where researchers are paid for disclosing bugs (Finifter et al 2013). The first such scheme was launched in 1995 by Netscape as a crowd-sourcing approach to finding vulnerabilities in the 2.0 release of the browser Netscape Navigator.

Now, vendors such as Google, Microsoft, Twitter, and Facebook operate rewards schemes with ever-increasing rewards for discovery of vulnerabilities: Microsoft for example offers up to $15,000 USD for critical vulnerabilities, or up to $100,000 USD for demonstrated novel exploitation techniques, while Google has a Vulnerability Rewards Program which offers up to $20,000 USD for the most critical exploits. In 2015, over $2 million USD was awarded to over 300 recipients.

There is some controversy around such programs and bug-finding competitions, with some questions about the ethics of giving financial rewards (Egelman et al 2013). Not all vendors choose to run programs in this way. Apple, for example, does not run a bug bounty program, but will give full credit to people who disclose vulnerabilities that they have found. The company may choose to run its own internal security team without participating in the arms race of increasing bounties. There is some speculation that the “no financial rewards” policy of Apple was a contributing factor in 2016 when an anonymous hacker presented the FBI with a way to unlock a criminal’s iPhone.

The alternative to disclosing the vulnerability to a vendor is to find a way of exploiting it, for example by selling it to attackers. A zero-day vulnerability which is not disclosed to the software vendor remains exploitable, for months or even for years, until an attack occurs which allows the vulnerability to be discovered. For example, it was reported in January 2015 that the cyber-attack against Sony Pictures took advantage of a zero-day vulnerability which allowed the attackers to access the company’s network some months before launching the attack in November 2014. The Stuxnet attack on Iran’s nuclear weapons program in 2009 also used several zero-day exploits.

The value of vulnerabilities to an attacker, whether they are a single “black hat” hacker, criminal organisation or a nation state, is undeniable. This is the main reason for offering a bug bounty system as an alternative incentive to discoverers of new vulnerabilities. More positively, the sharing of information between researchers working on various bounty programs helps to improve the overall level of security, leading to the discovery of related vulnerabilities and improving defences.